1. 安装 acme.sh
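# Install acme.sh. The installer is fetched and run in one step (curl | sh); if your
# environment does not allow executing unreviewed remote scripts, download it first,
# read it, then run it locally.
# The scraped page garbled the address after "email=" ([email protected]); the argument
# is the ACME account contact. you@example.com is a placeholder - replace it.
curl https://get.acme.sh | sh -s email=you@example.com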
2. 生成证书
2021 年 8 月 1 日起,acme.sh 的默认证书签发机构由 letsencrypt 换成了 zerossl。
使用下面这条命令可以切换回以 letsencrypt 作为默认签发机构:
# Make Let's Encrypt the default CA for subsequent --issue runs (global switch).
acme.sh --set-default-ca \
  --server letsencrypt
或者在签发时手动指定:
# Alternative to the global default: pick the CA on this one --issue call.
acme.sh --issue \
  --server letsencrypt \
  -d blog.were.moe \
  -w /srv/http/blog.were.moe \
  --keylength ec-256
我这里不做修改,沿用默认的 zerossl,并额外指定使用比 RSA 更强的 ECC 加密算法:
# Issue with the default CA (zerossl at the time of writing).
#   -d  site domain
#   -w  web root directory of the site
#   --keylength ec-256  request an ECC key instead of RSA
acme.sh --issue \
  -d blog.were.moe \
  -w /srv/http/blog.were.moe \
  --keylength ec-256
3. 给证书一个新家
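# Directory that will hold the installed certificate and private key.
# Fix: the original line was spelled "mkidr", so the directory was never created
# and the chown never ran. -p makes the step safe to re-run.
mkdir -p -- /srv/http/ssl && chown nginx:nginx /srv/http/ssl
# The web server here is nginx, so the directory is handed to nginx's user and group.
# NOTE(review): ownership of the directory does not control who can read the key
# written into it later; after --install-cert, confirm with `ls -l /srv/http/ssl`
# that key.pem is not world-readable.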
4. 复制/安装 证书(nginx)
# Copy the issued certificate and key into the nginx directory and reload nginx.
# --ecc selects the ECC certificate issued above with --keylength ec-256.
# --reloadcmd is re-run by acme.sh after each renewal, not just now.
acme.sh --install-cert --ecc -d blog.were.moe \
  --fullchain-file /srv/http/ssl/cert.pem \
  --key-file /srv/http/ssl/key.pem \
  --reloadcmd "service nginx force-reload"
5. 修改 nginx 的配置
server {
listen 80;
listen 443 ssl http2 default_server;
listen [::]:80;
listen [::]:443 ssl http2;
root /srv/http/blog.were.moe;
index index.html index.htm index.php;
charset utf-8;
access_log /var/log/nginx/blog.were.moe.access.log main;
ssl_certificate "/srv/http/ssl/cert.pem"; # 证书公钥路径
ssl_certificate_key "/srv/http/ssl/key.pem"; # 证书私钥路径
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
#ssl_dhparam /path/to/dhparam;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
# replace with the IP address of your resolver
resolver 8.8.8.8;
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}